Memory Forensics analysis

Presented by:-

Anishka Singh

Everything in OS traverse RAM:-

Network Sockets and URLs

Windows Registry keys

Hardware Configuration

Password,caches and clipboards

User generated contents

MALWARE

CPU

Cache

RAM

Virtual Memory

Disk

DIGITAL FORENSIC ANALYSIS

Goals of Digital Forensics

Identify Digital Evidence

Generally only a part of crime investigation

Examples

computer intrusion

unauthorized use of corporate computers

any physical crime whose suspect had a computer

Three major phases:

Acquisition

Analysis

Presentation

Acquisition Phase

Which data as digital evidence ????????

Goal is to save the state of digital system for analysis.

Similar to taking photographs, fingerprints, blood samples, from a crime scene.

The allocated and unallocated areas of a hard disk are copied known as image.

Tools are used to copy data from the suspect storage device to a trusted device.

Tools must modify the suspect device as little as possible and copy all data.

Capture the acquired data for identifying pieces of evidence.

Acquistion : MoonSols Kit for obtaining memory

image Advanced toolkit for Windows physical memory snapshot management.

Designed to deal with :- A) Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 7 both 32-bits and 64-bits (x64) Editions). B)Microsoft full memory crashdump (in both 32-bits and 64-bits (x64) Editions). C)Raw memory dump files (from memory acquisition tools like win32dd or win64dd, or Virtualization application like VMWare.

Contains new version of win32dd and win64dd.

C:\win32dd.exe /l /f mem1.vmem

Identify Context

Find KPCR

Parse Memory Structure

Executive Process Blocks

Process Environment Blocks

Track loaded DLLs

Virtual Address Descriptor

Process Memory Sections

Kernel Modules

Drivers

Scan For outliers

Unlinked Process DLLs,sockets and threads

Unmapped page with execute privelage

Hook Detection

Know Heuristics and signatures

Analysis of Memory through volatility

Open collection of tools. Python implemented under GNU General Public License for the extraction

of digital artifacts from volatile memory (RAM).

Extraction performed are independent of system being investigated but offer unprecedented visibilty into the runtime state of system.

Intended to introduce people:-

Techniques and complexities associated with extracting digital artifacts from volatile memory samples

Work into this exciting area of research.

Volatility Supports x86 Windows versions

Windows XP SP 2, 3

Windows 2003 Server SP 0, 1, 2

Windows Vista SP 0, 1, 2

Windows 2008 Server SP 1, 2

Windows 7 SP 0, 1

Running Process

Image Date and Time

Open Network Sockets & connections

DLLs Loaded For Process Open Registry Handles

Processs addressable Memory

OS Kernel Modules

Mapping Physical offset to virtual address

Virtual address Descriptor Information

Scanning Process , threads, modules

Extract Executables From Memory Samples

Static RAM analysis from an image or

against a live system Enumerate all running processes, including those hidden by

rootkits, and display associated DLLs, network sockets and handles in context.

Dump a process and associated DLLs for further analysis in third-party tools.

Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.

Volatility provides VAD tree analysis and exposes registry artifacts in memory and will parse and display handle information from memory.

Image Name

Legitimate process? Spelled correctly? Matches system

context

Full Path

Appropriate path for system executable?

Running from

a user or temp directory

Parent Process

Is the parent

Process what you would expect?

Command Line

Executable

matches image

name?

Do arguments

make sense?

Start Time

Was the process

started at boot

(with other system

processes)?

Processes started

near time of known

attack.

Analyzing Processes

Volatility Commands

a)Spot hidden processes psxview

b)List all processes pslist, psscan

c)Show a registry key printkey -K key

d)Extract process image procexedump

e)Extract process memory memdump, vaddump

f)List open handles, files, DLLs

and mutant objects

handles, filescan, dlllist,

mutantscan

g)List services, drivers and

kernel modules

svcscan, driverscan, modules,

modscan

h)View network activities connscan, connections,

sockets, sockscan, netscan

i)View activity timeline timeliner, evtlogs

j)Find and extract malware malfind, apihooks

Imageinfo

Used for Knowing what type of system your image came from.

Output shows suggested profile that you should pass as the parameter to --profile=PROFILE.

$ volatility f imagename imageinfo For most accurate and fastest results supply the profile and KDBG to other Volatility commands.

Pslist

Use to list the processes of a system. Walks doubly-linked list pointed by PsActiveProcessHead. Does not detect hidden or unlinked processes.

Syntax:- $ volatility f --profile=profilename mem1.vmem pslist

Pstree

Used for viewing the process listing in tree form. Enumerates processes using the same technique

as pslist. Child process are indicated using indention and

periods. $ volatility profile=profilename f imagename pstree

Psscan

To enumerate processes using pool tag scanning, use this command.

Finds processes that are previously terminated (inactive) and hidden or unlinked by a rootkit.

$ volatility f imagename psscan

Connscan

Used for finding connection structures using pool tag scanning.

Finds artifacts from previous connections that have been terminated.

It may find false positives sometimes, you also get the benefit of detecting as much information as possible.

$ volatility f imagename connscan

Malfind

Used for:- Finding hidden or injected code/DLLs in user mode memory,

based on characteristics such as VAD tag and page permissions.

Locating sequence of bytes, regular expressions, ANSI strings, or Unicode strings in user mode or kernel memory.

$ volatility f imagename malfind D directoryname

Apihook

Used for finding API hooks in user mode or kernel mode. It finds IAT, EAT, Inline style hooks, and several special types of

hooks. For Inline hooks, it detects CALLs and JMPs to direct and

indirect locations, and it detects PUSH/RET instruction sequences.

Special types of hooks that it detects include syscall hooking in ntdll.dll and calls to unknown code pages in kernel memory.

$ volatility f imagename apihook

Dlllist

For displaying a process's loaded DLLs, use this command. It walks the doubly linked list of LDR_DATA_TABLE

_ENTRY structures pointed by PEB's InLoad Order Module

List. DLLs are automatically added to this list when a process calls

LoadLibrary and they aren't removed until FreeLibrary is called and the reference count reaches zero.

$ volatility f imageinfo dlllist

Dlldump

For extracting a DLL from a process's memory space and dump it to disk for analysis, use this command. We can: Dump all DLLs from all processes . Dump all DLLs from a specific process (with --pid=PID) . Dump all DLLs from a hidden/unlinked process (with --

offset=OFFSET) . Dump a PE from anywhere in process memory (with --

base=BASEADDR), this option is useful for extracting hidden DLLs.

$ volatility f imagename dlldump D directoryname

Handles

Used for displaying the open handles in a process. Process obtains a file handle by calling functions such as

CreateFile, and the handle will stay valid until CloseHandle is called. This concept applies for registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of objects.

$ volatility f imagename handles

Getsids

For viewing the SIDs (Security Identifiers) associated with a process, use this command.

It helps you to identify processes which have maliciously escalated privileges.

$ volatility f imageinfo getsids

Memmap

For a brief inspection of the addressable memory pages in a process use this command. $ volatility f imagename p PID memmap

Memdump

To extract all data from the various memory segments in

a process and dump them to a single file, use the

memdump command.

$ volatility --profile=Win7SP0x86 -f imagename p PID memdump D directoryname/

Procmemdump

o For dumping a process's executable (including the slack space), use the procmemdump command.

o Optionally, pass the --unsafe or -u flags to bypass certain sanity checks used when parsing the PE header.

o Some malware will intentionally forge size fields in the PE header so that memory dumping tools fail.

$ volatility --profile=Win7SP0x86 -f imagename -p PID procmemdump -D memory/

Procexedump

To dump a process's executable (not including the slack space), use the procexedump command. $ volatility --profile=Win7SP0x86 -f imagename -p PID procmemdump -D memory/

Vadinfo

The vadinfo command displays extended information about a process's VAD nodes. In particular, it shows: The address of the MMVAD structure in kernel memory. The starting and ending virtual addresses in process memory. The VAD Tag. The name of the memory mapped file (if one exists) . The memory protection constant (permissions). $ volatility --profile=Win7SP0x86 -f imagename -p PID vadinfo

Modules

To view the list of kernel drivers loaded on the system, use the modules command.

This walks the doubly-linked list of LDR_DATA_TABLE _ENTRY structures pointed to by

PsLoadedModuleList. It cannot find hidden/unlinked

kernel drivers.

$ volatility --profile=Win7SP0x86 -f imagename modules

modscan

For scanning physical memory for kernel modules, use this command.

It can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.

$ volatility --profile=Win7SP0x86 -f win7.dmp modscan

Ssdt

To list the functions in the Native and GUI SSDTs, use the ssdt command. It displays the index, function name, and owning driver for each entry in the SSDT. Some important points:- Windows has 4 SSDTs by default (you can add more with

KeAddSystemServiceTable), but only 2 of them are used - one for Native functions in the NT module, and one for GUI functions in the win32k.sys module.

Multiple ways to locate the SSDTs in memory:- o Some tools do it by finding the exported KeServiceDescriptorTable

symbol in the NT module. o Volatility scans for ETHREAD objects and gathers all unique

ETHREAD.Tcb.ServiceTable pointers.It is more robust and complete, as it can detect when rootkits make copies of the existing SSDTs and assign them to particular threads.

$ volatility --profile=Win7SP0x86 -f imagename ssdt

Driverscan

For scaning DRIVER_OBJECTs in physical memory, use this command.

The DRIVER_OBJECT contains the 28 IRP (Major Function) tables.

$ volatility --profile=Win7SP0x86 -f imagename driverscan

To detect listening sockets for any protocol (TCP, UDP, RAW, etc), use the sockets command.

It walks a singly-linked list of socket structures which is pointed to by a non-exported symbol in the tcpip.sys module.

It works for Windows XP and Windows 2003 Server only.

$ volatility f imagename --profile=WinXPSP3x86 sockets

Volatility is the only memory forensics framework with the ability to carve registry data. Variour registry commands are:- a) Hivescan b) Hivelist c) Printkey

Hivescan

To find the physical addresses of CMHIVEs (registry hives) in memory, use the hivescan command. $ volatility --profile=Win7SP0x86 -f imagename hivescan

Hivelist

To locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hive on disk, use this command. $ volatility --profile=Win7SP0x86 f imagename hivelist

Printkey

For displaying the subkeys, values, data, and data types contained within a specified registry key, use this command.

By default it will search all hives and print the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.

$ volatility --profile=Win7SP0x86 -f imagename printkey -K "Microsoft\Security Center\Svc"

Idt

To print the system's IDT (Interrupt Descriptor Table), use the idt command.

It displays the purpose of the interrupts, along with the current address and owning module.

Some rootkits hook the IDT entry for KiSystemService, but point it at a routine inside the NT module (where

KiSystemService should point). However, at that

address, there is an Inline hook detected by Idt.

$ volatility idt -f imagename

Gdt

To print the system's GDT (Global Descriptor Table), use the gdt command.

It is useful for detecting rootkits like Alipop that install a call gate so that user mode programs can call directly into kernel mode (using a CALL FAR instruction).

$ volatility -f imagename gdt

Volatility is a very powerful tool, which is able to detect even the most advanced rootkits if its being used properly.

The analyst should have good windows knowledge to

combine the different functions in a smart way and draw the right conclusions

False positives could be caused by security software like HIPS, AV or personal firewalls, as they act in a very similar way malware does. The only way to be 100% sure if the code is malicious or not the investigator has to disassemble the dumped code .

Conclusion

Other tools Mandiant Redline:- Mandiant Redline is an interesting tool which can analyse all the processes running on your PC, and then attempt to highlight any which might be malicious.